Most network administrators would say they want the most secure network they can manage. But if tighter security means antagonizing end users or upper management, are you prepared to force the issue?

Microsoft Windows NT 4.0 Service Pack 2 and Windows 2000 networks offer an option that forces strong password functionality on users. The problem is that many users—and, perhaps more importantly, many managers—will be frustrated by a strict password policy. And if you select this option, you can’t exempt anyone.

The topic of passwords came up recently in our Technical Q&A when member LouAnne asked whether changing password settings on her network would lock out current users with passwords of fewer than six characters. She also wanted to know whether she could exclude particular users from the restrictions.

Within a few hours, Joseph Moore responded that raising the minimum password length won't lock out current users whose passwords fall short of it; they will simply get an error message the next time they change their passwords if the new password doesn't meet the requirement. He recommended that LouAnne couple the password length setting with the password expiration setting so that users are forced to change their passwords and thereby come under the new policy.

By default, passwords expire and must be replaced after 42 days, which Moore said works okay. He also noted, however, that once you set up the policy in Windows, no one can be excluded from it, not even the administrator account(s).

Going an extra step toward security
While forcing users to have passwords of a certain minimum length may be a good start toward improving password security, you can go further. However, enforcing additional restrictions may have a price.

Moore told LouAnne that if she really wants to get tough on password security, she could turn on the Password Must Meet Complexity Requirements option.

“That will really frustrate your users, but it is a good thing from a security standpoint,” he wrote.

Because LouAnne noted in her original question that she is administering a Windows 2000 network, Moore pointed her to an article in Microsoft’s Knowledge Base that discusses the options for her network.

The article describes in detail how to enable the option in Windows 2000 and refers readers to an earlier article published when the option was introduced in Service Pack 2 for NT 4.0.

According to Microsoft, if you use this strong password option, the policy will be hard-coded into the Passfilt.dll file in NT 4.0 and can’t be changed through either the user interface or Registry hacks. This functionality is achieved in Windows 2000 through the Default Domain Controllers Policy Group Policy Object.

This option creates a policy with these requirements:

  • The password must be six characters or longer.
  • The password can’t contain any part of the user’s full name or username.
  • The password must contain characters from three of four classes of characters.

The four classes of characters are:

  • English uppercase letters (A, B, C, etc.).
  • English lowercase letters (a, b, c, etc.).
  • Arabic numerals (0, 1, 2, 3, etc.).
  • Special characters (an exclamation point [!], an asterisk [*], a dollar sign [$], or other punctuation symbols).
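The three rules above are easy to model, and an administrator may want to see how they bite before switching the option on for the whole domain. The following checker is an added example written for this article, not code from Microsoft or from the Passfilt.dll filter itself. It assumes that "any part of the user's full name" means a case-insensitive match of the username or of any name token of two or more characters (single letters such as a middle initial are ignored, since they would match almost every password), and that "special characters" means any ASCII punctuation symbol. The user and candidate passwords at the bottom are constructed for the demonstration.

```python
"""Added example: a checker that models the three strong-password rules
described in the article (minimum length, no part of the user's name,
three of four character classes). Not the real Passfilt.dll logic;
the name-matching and special-character interpretations are assumptions."""
import re
import string

MIN_LENGTH = 6            # rule 1: six characters or longer
REQUIRED_CLASSES = 3      # rule 3: three of the four character classes

# Rule 3's four character classes as the article lists them.
CHARACTER_CLASSES = {
    "uppercase": lambda c: c in string.ascii_uppercase,
    "lowercase": lambda c: c in string.ascii_lowercase,
    "digit": lambda c: c in string.digits,
    # Assumption: "special character" = any ASCII punctuation symbol.
    "special": lambda c: c in string.punctuation,
}


def classes_present(password):
    """Return the set of class names that occur at least once in the password."""
    return {name for name, test in CHARACTER_CLASSES.items()
            if any(test(c) for c in password)}


def name_tokens(full_name, username):
    """Split the full name on anything that is not a letter or digit and add
    the username. Assumption: tokens shorter than two characters are ignored."""
    tokens = set(re.split(r"[^A-Za-z0-9]+", full_name))
    tokens.add(username)
    return {t.lower() for t in tokens if len(t) >= 2}


def check_password(password, username, full_name):
    """Return a list of the rules the password violates (empty list = accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short (rule 1)")
    lowered = password.lower()
    hits = sorted(t for t in name_tokens(full_name, username) if t in lowered)
    if hits:
        failures.append("contains part of the user's name: "
                        + ", ".join(hits) + " (rule 2)")
    if len(classes_present(password)) < REQUIRED_CLASSES:
        failures.append("fewer than three character classes (rule 3)")
    return failures


if __name__ == "__main__":
    # Constructed sample user and candidate passwords (not real accounts).
    user, name = "jpublic", "Jane Q. Public"
    for candidate in ["secret", "Public99", "Ab1!", "Tr3e-house"]:
        problems = check_password(candidate, user, name)
        verdict = "accepted" if not problems else "; ".join(problems)
        print(f"{candidate!r}: {verdict}")
```

Running the script shows why users complain: a plain word like "secret" fails on character classes, "Public99" fails because it contains the surname, and only something like "Tr3e-house" clears all three rules. A help-desk script built this way can explain the exact rule a rejected password broke, which the stock error message does not.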

So what’s the problem?
If everyone agrees that strong passwords are a good thing for network security, why doesn’t every network administrator require them?

The most obvious answer is that end users will find it hard to remember anything as complicated as a password that uses three of the four character groups. As a result, they’ll get around the issue with tricks that compromise security—like posting their passwords on sticky notes on their monitors.

What do you think about password requirements?

We look forward to getting your input and hearing about your experiences regarding this topic. Post a comment or a question about this article.